@ -4,7 +4,6 @@ import (
"context"
"context"
"crypto/x509"
"crypto/x509"
"net/http"
"net/http"
"regexp"
"strings"
"strings"
"time"
"time"
@ -115,20 +114,18 @@ func DefaultIdentityFunc(_ context.Context, p Interface, email string) (*Identit
switch k := p . ( type ) {
switch k := p . ( type ) {
case * OIDC :
case * OIDC :
// OIDC principals would be:
// OIDC principals would be:
// ~~1. Preferred usernames.~~ Note: Under discussion, currently disabled
// ~~1. Preferred usernames.~~ Note: Under discussion, currently disabled
// 2. Sanitized local.
// 2. Sanitized local.
// 3. Raw local (if different).
// 3. Raw local (if different).
// 4. Email address.
// 4. Email address.
name := SanitizeSSHUserPrincipal ( email )
name := SanitizeSSHUserPrincipal ( email )
if ! sshUserRegex . MatchString ( name ) {
return nil , errors . Errorf ( "invalid principal '%s' from email '%s'" , name , email )
}
usernames := [ ] string { name }
usernames := [ ] string { name }
if i := strings . LastIndex ( email , "@" ) ; i >= 0 {
if i := strings . LastIndex ( email , "@" ) ; i >= 0 {
usernames = append ( usernames , email [ : i ] )
usernames = append ( usernames , email [ : i ] )
}
}
usernames = append ( usernames , email )
usernames = append ( usernames , email )
return & Identity {
return & Identity {
// Remove duplicated and empty usernames.
Usernames : SanitizeStringSlices ( usernames ) ,
Usernames : SanitizeStringSlices ( usernames ) ,
} , nil
} , nil
default :
default :
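Review bot: Dropping the `sshUserRegex.MatchString(name)` rejection means the value returned by `SanitizeSSHUserPrincipal(email)` is placed into `Usernames` with no validation visible in this hunk, and nothing here shows that the sanitizer guarantees the `^[a-z][-a-z0-9_]*$` shape the removed check enforced. If the sanitizer does guarantee it, record that at the call site so the next reader does not re-add the check, e.g. `// SanitizeSSHUserPrincipal already yields a valid SSH principal; no further validation needed.`; if it does not (for instance an email whose local part contains no permitted characters), the error return should be kept rather than relying on `SanitizeStringSlices` to drop only empty entries. Note that the raw local part `email[:i]` and the full email were never covered by the check, so any remaining principal validation presumably happens downstream in the SSH signing path and should be confirmed there. The body of DefaultIdentityFunc begins and ends outside the hunk, so whether `errors` is still used elsewhere in the function cannot be seen here.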
@ -178,8 +175,6 @@ func DefaultAuthorizeSSHRenew(_ context.Context, p *Controller, cert *ssh.Certif
return nil
return nil
}
}
var sshUserRegex = regexp . MustCompile ( "^[a-z][-a-z0-9_]*$" )
// SanitizeStringSlices removes duplicated an empty strings.
// SanitizeStringSlices removes duplicated an empty strings.
func SanitizeStringSlices ( original [ ] string ) [ ] string {
func SanitizeStringSlices ( original [ ] string ) [ ] string {
output := [ ] string { }
output := [ ] string { }